Re: Unicode and Security

From: John Hudson (tiro@tiro.com)
Date: Tue Feb 05 2002 - 19:53:39 EST


At 09:39 2/5/2002, John H. Jenkins wrote:

>Y'know, I must confess to not following this thread at all. Yes, it is
>impossible to tell from the glyphs on the screen what sequence of Unicode
>characters was used to generate them. Just *how*, exactly, is this a
>security problem?

I was wondering the same thing.

I can make an OpenType font that uses contextual substitution to
replace the phrase 'The licensee also agrees to pay the type designer
$10,000 every time he uses the lowercase e' with a series of invisible
non-spacing glyphs. Of course, the backing store will contain my dastardly
hidden clause and that is the text the unwitting victim will electronically
sign. Hahahaha, he laughed maniacally!

This has nothing to do with encoding, does not rely on difficult and
totally improbable manipulation of a bidirectional algorithm and, most
relevantly, is *not* a security problem in the OpenType font specification.
It is an example of fraud. I suppose if there was a software solution to
all such dangers, we wouldn't need police, felony charges, the court
system, prisons, or any of the other things we rely on to protect honest
people against the dishonest.

John Hudson

Tiro Typeworks www.tiro.com
Vancouver, BC tiro@tiro.com

... es ist ein unwiederbringliches Bild der Vergangenheit,
das mit jeder Gegenwart zu verschwinden droht, die sich
nicht in ihm gemeint erkannte.

... every image of the past that is not recognized by the
present as one of its own concerns threatens to disappear
irretrievably.
                                               Walter Benjamin
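The scenario in the post, worked through as an added example (this is not code from the message or from Tiro Typeworks). The point it makes concrete: an electronic signature binds the backing store, so a font whose contextual substitution draws nothing for a phrase lets the signer sign text never displayed. The `ToyFont.rules` table is an assumption standing in for an OpenType GSUB contextual lookup; the contract text, the font names and the glyph names `zw.1`/`zw.2` are constructed for illustration. The two checks at the end are what a practitioner would want before signing: flag spacing characters that the shipped font renders with zero advance, and compare the visible text against a rendering with a font that has no substitution rules.

```python
import hashlib
import unicodedata
from dataclasses import dataclass, field

# Constructed sample text: a visible licence with the post's hidden clause
# embedded in the backing store.
HIDDEN_CLAUSE = ("The licensee also agrees to pay the type designer "
                 "$10,000 every time he uses the lowercase e")
CONTRACT = ("The licensee may embed this font in documents. "
            + HIDDEN_CLAUSE + ". Signed below.")

# Characters that legitimately occupy no horizontal space when rendered:
# nonspacing marks, enclosing marks and format characters (ZWJ, ZWNJ, ...).
NONSPACING_CATEGORIES = {"Mn", "Me", "Cf"}


def expected_advance(ch):
    """Advance width a sane font gives `ch`: 0 for marks/format chars, 1 otherwise."""
    return 0 if unicodedata.category(ch) in NONSPACING_CATEGORIES else 1


@dataclass
class ToyFont:
    """Stand-in for a font. `rules` is a toy contextual-substitution table
    (an assumption standing in for an OpenType GSUB lookup): when `phrase`
    occurs in the backing store, its glyphs are replaced by the listed glyph
    names, all of which draw nothing and have zero advance."""
    name: str
    rules: dict = field(default_factory=dict)

    def shape(self, text):
        """Map backing-store `text` to a glyph stream.
        Each glyph is (glyph_name, advance_width, source_text).
        Returns (glyph_stream, visible_text)."""
        glyphs = []
        i = 0
        while i < len(text):
            for phrase, replacement in self.rules.items():
                if text.startswith(phrase, i):
                    # The whole phrase collapses to invisible, zero-advance glyphs.
                    glyphs.extend((g, 0, phrase) for g in replacement)
                    i += len(phrase)
                    break
            else:
                ch = text[i]
                glyphs.append((f"g{ord(ch):04X}", expected_advance(ch), ch))
                i += 1
        visible = "".join(src for _, adv, src in glyphs if adv > 0)
        return glyphs, visible


def signed_digest(text):
    """What an electronic signature actually binds: the backing store, not pixels."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hidden_runs(font, text):
    """Pre-signing check: backing-store text that `font` renders with no
    visible advance although its characters are spacing characters.
    An empty list means what is shown is what will be signed."""
    runs = []
    for _, adv, src in font.shape(text)[0]:
        if adv == 0 and any(expected_advance(c) > 0 for c in src):
            if not runs or runs[-1] != src:   # one phrase -> several glyphs
                runs.append(src)
    return runs


def matches_trusted_rendering(font, text):
    """Second check: render with a font that has no substitution rules and
    compare the visible text with what the document's own font shows."""
    reference = ToyFont("reference")
    return font.shape(text)[1] == reference.shape(text)[1]


if __name__ == "__main__":
    rigged = ToyFont("rigged", {HIDDEN_CLAUSE: ["zw.1", "zw.2"]})
    _, shown = rigged.shape(CONTRACT)
    print("victim sees :", shown)
    print("victim signs:", signed_digest(CONTRACT)[:16], "(digest of backing store)")
    print("hidden runs :", hidden_runs(rigged, CONTRACT))
    print("matches ref :", matches_trusted_rendering(rigged, CONTRACT))
```

Note that `hidden_runs` deliberately ignores combining marks and format characters, which any honest font renders at zero width; flagging every zero-advance glyph would drown a real document in false positives. Neither check needs the signature itself, which is the point: the signature is correct over the bytes, so the defence has to be applied to what is rendered, not to the cryptography.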



This archive was generated by hypermail 2.1.2 : Tue Feb 05 2002 - 19:15:54 EST